The United States has historically relied on the private sector to protect itself from cyber threats. However, the recent spike in major ransomware and supply chain attacks has prompted the government to step in with a series of new cybersecurity regulations.
A New Regulatory Environment
Included among the impending regulations are new reporting, supply chain management and, potentially, data privacy requirements. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), signed into law by President Biden in March, targets organizations operating in critical infrastructure sectors, such as telecommunications, healthcare, energy and transportation. CIRCIA mandates reporting of cyber incidents and ransom payments to the Cybersecurity & Infrastructure Security Agency within tight time frames: Identified cyber incidents must be reported within 72 hours, while any ransomware payments must be disclosed within 24 hours.
The U.S. Securities and Exchange Commission (SEC) is also rolling out its own new reporting requirements. In the interest of protecting investors from potential cyber risk, the SEC will require publicly traded companies to report “material” security incidents within four days.
The software supply chain is another area of focus for the government. In 2021, President Biden issued an executive order and set of cybersecurity initiatives that, among other provisions, aimed to mitigate supply chain attacks. Now, the Food and Drug Administration is issuing new rules for medical device manufacturers requiring them to maintain a software inventory and regularly assess their systems’ vulnerabilities.
Landmark legislation covering data privacy is also being debated in Congress. Similar to the European Union’s GDPR, the American Data Privacy and Protection Act would impose nationwide regulations on the collection, processing and transfer of personal data.
How to Prepare
As these regulations are finalized, organizations have an opportunity to assess the potential impact and start implementing compliance measures. Here are some steps you can take to prepare:
- Review and update policies and procedures: Having actionable security policies and procedures helps ensure that compliance requirements are baked into your organizational processes, demonstrating a mature security program to regulators. Also, several impending regulations hinge upon subjective terms, such as “material incidents,” making it imperative to clearly define specific security events and document associated protocols.
- Develop and test an incident response plan: To comply with new reporting requirements, organizations should develop a detailed incident response playbook clearly describing how incidents are identified, confirmed and reported. This plan should be regularly tested and reviewed to ensure that reporting deadlines can be met.
- Maintain a software bill of materials (SBOM): As new supply chain rules come into effect, maintaining an SBOM will be critical to achieving compliance. An SBOM provides visibility into your organization’s exposure to third-party software, allowing you to identify and remediate vulnerabilities.
Looking for help? The experts at MBL Technologies are well-versed in the latest security and privacy regulations. With our comprehensive cybersecurity services, we can assess your security program to identify any regulatory gaps and devise cost-effective, sustainable solutions.